Hardening Website Security – Part 1a: HSTS Preloading

In part 1 of this series of articles we described the HSTS header “Strict-Transport-Security”. This header tells the client's web browser to enable HTTP Strict Transport Security mode: the browser remembers that this website only uses HTTPS and refuses to send it any unencrypted traffic. In this article we take this a step further and look at HSTS Preloading.

HSTS Preloading

As an addition to this, Google compiles a list of HSTS-enabled websites (the HSTS preload list) which is made available to, or more precisely compiled into, Chrome, Firefox and Safari. For a site on that list the browser does not even have to query the website for its headers; it knows to enforce HTTPS from the very first request.

This matters because plain HSTS only takes effect once the browser has seen the header over HTTPS, so a site's very first plain-HTTP request is unprotected. By preloading, attackers can no longer intercept that first unencrypted request and strip or modify the redirect to HTTPS, and thereby carry out further Man-in-the-Middle (MITM) attacks.

In order to enable HSTS Preloading you must meet the requirements below and then submit your site to be included on the list.

How to Register

Requirements

First, in order to confirm that you are the owner of the website in question, and that you definitely want preloading to be enabled (it is hard to undo: removal from the list takes months to reach every browser release), you have to modify your “Strict-Transport-Security” header.

Where previously it read (optionally with or without the “includeSubDomains” directive):

If you have unencrypted HTTP enabled, it must redirect with an HTTP response code of either 301 (Moved Permanently) or 302 (Found, previously Moved Temporarily) to the HTTPS site on the same host.

All subdomains must also be served over HTTPS with a valid certificate (including “www.” if you have a DNS record for it).
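The checks above can be scripted before you submit. The following is an added example, not code from the original article or from hstspreload.org: it parses a Strict-Transport-Security value and checks it against the published preload requirements (a max-age of at least one year, 31536000 seconds, plus the includeSubDomains and preload directives), and checks that a plain-HTTP response is a 301/302 redirect to the HTTPS URL of the same host. The header values, host name and status codes used as input are constructed samples.

```python
"""Offline checks for HSTS preload eligibility (added example).

The sample header values and redirect responses below are constructed
for illustration, not captured from a real site.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

# Constructed samples: one header that passes, one that does not.
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=86400; includeSubDomains"


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive; flag directives such as
    includeSubDomains and preload map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def preload_problems(header_value):
    """Return the reasons the header is NOT preload-eligible (empty if OK)."""
    problems = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the required {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def redirect_problems(request_host, status, location):
    """Check the plain-HTTP response for the preload redirect rule.

    The response must be a 301/302 whose Location is the HTTPS URL of
    the *same* host; a cross-host hop (e.g. to www.) must come later.
    """
    problems = []
    if status not in (301, 302):
        problems.append(f"status {status} is not a 301/302 redirect")
    if location is None:
        problems.append("Location header missing")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target scheme is {target.scheme!r}, not https")
    if target.hostname != request_host.lower():
        problems.append(
            f"redirect goes to {target.hostname}, not the same host {request_host}"
        )
    return problems


if __name__ == "__main__":
    for label, value in (("good", GOOD_HSTS), ("weak", WEAK_HSTS)):
        print(label, preload_problems(value) or "OK")
    print(redirect_problems("example.com", 301, "https://example.com/") or "OK")
    print(redirect_problems("example.com", 301, "https://www.example.com/"))
```

Run it against the values your own server actually returns (curl -sI http://yourhost/ and curl -sI https://yourhost/) before submitting; a redirect straight from http://example.com to https://www.example.com is the most common reason a submission is rejected.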

Registration

Now that you’ve fulfilled the requirements, you can submit your site to the HSTS preload list by visiting the following website: https://hstspreload.org/

Once that’s done, you just need to wait: inclusion only reaches users when the browsers ship a new release containing the updated list. You can enter your domain on that website again to check on the status of your request.